Advanced Zeek Usage: Scripting and Framework

  • Tuesday, September 10th, 2019 at 10:30 AM EDT (14:30:00 UTC)
  • David Szili
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account.



The open-source Network Security Monitor (NSM) and analytics platform Zeek (formerly known as Bro) has become well known among information security professionals. At its core, Zeek inspects traffic and creates an extensive set of detailed, well-structured log files that record a network's activity. As it is very scalable and can run on commodity hardware, Zeek provides an alternative to commercial solutions. Most deployments run with little or no configuration customization, thus only generating the default set of log files.

However, Zeek is so much more than just log files. It has a domain-specific, event-driven, Turing-complete scripting language that allows you to perform arbitrary analysis tasks such as extracting files from sessions, detecting brute-force attacks, or generating statistics. It also enables security analysts to modify, extend, and optimize logs, or to create new log files. Zeek comes with a broad set of libraries, called frameworks, to facilitate script development.

This webcast gives an introduction to Zeek Scripting, starting with the basics and demonstrating the potential within this powerful platform through real-life examples. The second half of the webcast is going to show how to use Zeek frameworks such as the Intelligence Framework to consume and detect indicators from threat intelligence feeds.

Speaker Bio

David Szili

David Szili is a SANS instructor for SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. A managing partner and CTO at a Luxembourg-based consulting company, he has more than eight years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security architecture design, incident response, digital forensics and software development. David holds several IT security certifications, including the GSEC, GCED, GCIA, GCIH, GMON, GNFA, GYPC, GMOB, OSCP, OSWP and CEH. He is also a member of the BSides Luxembourg conference organizing team.
